Dynamic Group rebuilds are "polluting" user Change History

Hi All,

I've been searching around the forum and can't find an answer to my question. Perhaps others are not experiencing this or don't see it as an issue.

We have users that are in a few (large) dynamic groups. Whenever a group is automatically rebuilt, which is often, users' Change History is full of the changes and it's really difficult to find details on anything else that happened to the account.

I've been looking for a way to exclude the Dynamic Groups from Change Tracking, but so far I have not been able to do this.

Is this possible? If not, does anyone have any suggestions on how we could work around it?


  • Hello, Mak.

    This is more of a thought experiment, as I've never tested it, but you could possibly try making adjustments to where the "Built-in Policy - Change Tracking" policy is linked. By default it is linked to the Active Directory node. You could possibly create a query-based Managed Unit that contains all Dynamic Groups, then block the inheritance of that policy on this Managed Unit. Of course, this means you would lose all Change History on Dynamic Groups. If you wanted to get fancier, you could create a copy of that built-in policy and configure it such that it captures/tracks everything except the Members attribute and apply that to your Managed Unit.

    Now, this might theoretically block the Change History for the Dynamic Groups themselves, but I'm not sure what, if any, impact this might have on the "Member Of" tracking on the users themselves. Might be worth a few minutes of testing, though.


  • Hi Shawn,

    I've tested it and while it works on the item it's applied to, the config does not extend to users.
    It basically blocks inheritance of that policy on the "All Dynamic Groups" managed unit and removes the option to view Change History. You can still see all the logs on user accounts and directly on Dynamic Groups. This might be because they're elsewhere in the tree and the policy still applies to them.
    I'll try and test the policy scoping and its inheritance some more.


